fix expand havoc for ..._only modes
@ -19,6 +19,7 @@ sending a mail to <afl-users+subscribe@googlegroups.com>.
|
|||||||
- eliminated CPU affinity race condition for -S/-M runs
|
- eliminated CPU affinity race condition for -S/-M runs
|
||||||
- expanded havoc mode added, on no cycle finds add extra splicing and
|
- expanded havoc mode added, on no cycle finds add extra splicing and
|
||||||
MOpt into the mix
|
MOpt into the mix
|
||||||
|
- fixed a bug in redqueen for strings
|
||||||
- llvm_mode:
|
- llvm_mode:
|
||||||
- now supports llvm 12!
|
- now supports llvm 12!
|
||||||
- fixes for laf-intel float splitting (thanks to mark-griffin for
|
- fixes for laf-intel float splitting (thanks to mark-griffin for
|
||||||
|
@ -31,8 +31,8 @@
|
|||||||
/* this lets the source compile without afl-clang-fast/lto */
|
/* this lets the source compile without afl-clang-fast/lto */
|
||||||
#ifndef __AFL_FUZZ_TESTCASE_LEN
|
#ifndef __AFL_FUZZ_TESTCASE_LEN
|
||||||
|
|
||||||
ssize_t fuzz_len;
|
ssize_t fuzz_len;
|
||||||
unsigned char fuzz_buf[1024000];
|
unsigned char fuzz_buf[1024000];
|
||||||
|
|
||||||
#define __AFL_FUZZ_TESTCASE_LEN fuzz_len
|
#define __AFL_FUZZ_TESTCASE_LEN fuzz_len
|
||||||
#define __AFL_FUZZ_TESTCASE_BUF fuzz_buf
|
#define __AFL_FUZZ_TESTCASE_BUF fuzz_buf
|
||||||
|
@ -859,26 +859,34 @@ __attribute__((constructor(CONST_PRIO))) void __afl_auto_init(void) {
|
|||||||
|
|
||||||
void __sanitizer_cov_trace_pc_guard(uint32_t *guard) {
|
void __sanitizer_cov_trace_pc_guard(uint32_t *guard) {
|
||||||
|
|
||||||
// For stability analysis, if you want to know to which function unstable
|
// For stability analysis, if you want to know to which function unstable
|
||||||
// edge IDs belong to - uncomment, recompile+install llvm_mode, recompile
|
// edge IDs belong to - uncomment, recompile+install llvm_mode, recompile
|
||||||
// the target. libunwind and libbacktrace are better solutions.
|
// the target. libunwind and libbacktrace are better solutions.
|
||||||
// Set AFL_DEBUG_CHILD_OUTPUT=1 and run afl-fuzz with 2>file to capture
|
// Set AFL_DEBUG_CHILD_OUTPUT=1 and run afl-fuzz with 2>file to capture
|
||||||
// the backtrace output
|
// the backtrace output
|
||||||
/*
|
/*
|
||||||
uint32_t unstable[] = { ... unstable edge IDs };
|
uint32_t unstable[] = { ... unstable edge IDs };
|
||||||
uint32_t idx;
|
uint32_t idx;
|
||||||
char bt[1024];
|
char bt[1024];
|
||||||
for (idx = 0; i < sizeof(unstable)/sizeof(uint32_t); i++) {
|
for (idx = 0; i < sizeof(unstable)/sizeof(uint32_t); i++) {
|
||||||
if (unstable[idx] == __afl_area_ptr[*guard]) {
|
|
||||||
int bt_size = backtrace(bt, 256);
|
if (unstable[idx] == __afl_area_ptr[*guard]) {
|
||||||
if (bt_size > 0) {
|
|
||||||
char **bt_syms = backtrace_symbols(bt, bt_size);
|
int bt_size = backtrace(bt, 256);
|
||||||
if (bt_syms)
|
if (bt_size > 0) {
|
||||||
fprintf(stderr, "DEBUG: edge=%u caller=%s\n", unstable[idx], bt_syms[0]);
|
|
||||||
}
|
char **bt_syms = backtrace_symbols(bt, bt_size);
|
||||||
}
|
if (bt_syms)
|
||||||
}
|
fprintf(stderr, "DEBUG: edge=%u caller=%s\n", unstable[idx],
|
||||||
*/
|
bt_syms[0]);
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
*/
|
||||||
|
|
||||||
__afl_area_ptr[*guard]++;
|
__afl_area_ptr[*guard]++;
|
||||||
|
|
||||||
|
@ -673,8 +673,8 @@ static u8 rtn_extend_encoding(afl_state_t *afl, struct cmp_header *h,
|
|||||||
|
|
||||||
for (i = 0; i < its_len; ++i) {
|
for (i = 0; i < its_len; ++i) {
|
||||||
|
|
||||||
if (pattern[i] != buf[idx + i] ||
|
if (pattern[i] != buf[idx + i] || o_pattern[i] != orig_buf[idx + i] ||
|
||||||
o_pattern[i] != orig_buf[idx + i] || *status == 1) {
|
*status == 1) {
|
||||||
|
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
@ -1304,7 +1304,8 @@ int main(int argc, char **argv_orig, char **envp) {
|
|||||||
afl->expand_havoc = 1;
|
afl->expand_havoc = 1;
|
||||||
break;
|
break;
|
||||||
case 1:
|
case 1:
|
||||||
if (afl->limit_time_sig == 0) {
|
if (afl->limit_time_sig == 0 && !afl->custom_only &&
|
||||||
|
!afl->python_only) {
|
||||||
|
|
||||||
afl->limit_time_sig = -1;
|
afl->limit_time_sig = -1;
|
||||||
afl->limit_time_puppet = 0;
|
afl->limit_time_puppet = 0;
|
||||||
|
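Review bot: The new guard in `case 1` gives no reason why `custom_only` and `python_only` are excluded from switching MOpt on (`limit_time_sig = -1`, `limit_time_puppet = 0`), so the next reader has to reconstruct the intent from the commit title; a one-line comment above the `if` would fix that, e.g. `/* do not switch to MOpt when only a custom/python mutator is in use: MOpt drives its own mutation schedule and would bypass it (presumably; confirm against the custom mutator dispatch) */`. Whether `case 1` still advances `expand_havoc` for those modes, or leaves the strategy stuck at this case, is decided by code that is not in this hunk, so that path is worth a glance too. The enclosing `main()` and the rest of the `switch` start and end outside the hunk.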
@ -5,23 +5,19 @@
|
|||||||
#include <stdint.h>
|
#include <stdint.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
int main(int argc, char *argv[]) {
|
int main(int argc, char *argv[]) {
|
||||||
char buf[1024];
|
|
||||||
|
char buf[1024];
|
||||||
ssize_t i;
|
ssize_t i;
|
||||||
if ((i = read(0, buf, sizeof(buf) - 1)) < 24)
|
if ((i = read(0, buf, sizeof(buf) - 1)) < 24) return 0;
|
||||||
return 0;
|
|
||||||
buf[i] = 0;
|
buf[i] = 0;
|
||||||
if (buf[0] != 'A')
|
if (buf[0] != 'A') return 0;
|
||||||
return 0;
|
if (buf[1] != 'B') return 0;
|
||||||
if (buf[1] != 'B')
|
if (buf[2] != 'C') return 0;
|
||||||
return 0;
|
if (buf[3] != 'D') return 0;
|
||||||
if (buf[2] != 'C')
|
if (memcmp(buf + 4, "1234", 4) || memcmp(buf + 8, "EFGH", 4)) return 0;
|
||||||
return 0;
|
|
||||||
if (buf[3] != 'D')
|
|
||||||
return 0;
|
|
||||||
if (memcmp(buf + 4, "1234", 4) || memcmp(buf + 8, "EFGH", 4))
|
|
||||||
return 0;
|
|
||||||
if (strncmp(buf + 12, "IJKL", 4) == 0 && strcmp(buf + 16, "DEADBEEF") == 0)
|
if (strncmp(buf + 12, "IJKL", 4) == 0 && strcmp(buf + 16, "DEADBEEF") == 0)
|
||||||
abort();
|
abort();
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|